HOW THE CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) WILL - PowerPoint PPT Presentation
  1. HOW THE CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) WILL IMPACT YOUR BUSINESS – ACQUISITION HOUR WEBINAR, April 24, 2020 (4/24/20)

  2. WEBINAR ETIQUETTE – PLEASE
  • Log into the GoToMeeting session with the name that you registered with online
  • Place your phone or computer on MUTE
  • Use the CHAT option to ask your question(s). We will share the questions with our guest speaker, who will respond to the group.
  THANK YOU!

  3. ABOUT WPI – SUPPORTING THE MISSION: Celebrating 32 Years of serving Wisconsin Business!

  4. Assist businesses in creating, developing and growing their sales, revenue and jobs through Federal, state and local government contracts.
  • INDIVIDUAL COUNSELING – at our offices, at the client's facility or via telephone/GoToMeeting
  • SMALL GROUP TRAINING – workshops and webinars
  • CONFERENCES, including one-on-one or roundtable sessions
  Last year WPI provided training at over 100 events and provided service to over 1,200 companies.
  WPI is a Procurement Technical Assistance Center (PTAC) funded in part by the Defense Logistics Agency (DLA), WEDC and other funding sources.

  5. WPI OFFICE LOCATIONS
  • MILWAUKEE
  • OSHKOSH – Fox Valley Technical College Technology Innovation Center; Greater Oshkosh Economic Development Corporation
  • MADISON – FEED Kitchens; Dane County Latino Chamber of Commerce; Madison Area Technical College (MATC)
  • EAU CLAIRE – Western Dairyland; Wisconsin Manufacturing Extension Partnership (WMEP)
  • MENOMONIE – Dunn County Economic Development Corporation
  • CAMP DOUGLAS – Juneau County Economic Development Corporation (JCEDC)
  • LADYSMITH – Indianhead Community Action Agency
  • RHINELANDER – Nicolet Area Technical College
  • STEVENS POINT – IDEA Center
  • GREEN BAY – Advance Business & Manufacturing Center
  • APPLETON – Fox Valley Technical College

  6. www.wispro.org

  7. CMMC – How the Cybersecurity Maturity Model Certification (CMMC) Will Impact Your Business
  Marc N. Violante, Wisconsin Procurement Institute, April 24, 2020

  8. What we know – Current Cyber Obligations
  • 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems
  • 252.204-7008 – Compliance with Safeguarding Covered Defense Information Controls
  • 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting
  • DON – Geurts memos – CDRL requirements
  • Other requirements

  9. Information Security – Obligations/Requirements
  • 252.204-7000 – Disclosure of Information
  • DOD Directive 5230.25 – Withholding of Unclassified Technical Data from Public Disclosure
  • DOD Instruction 5230.24 – Distribution Statements on Technical Documents
  • Canadian Technical Data Control Regulations (TCDR)
  • State Department, Directorate of Defense Trade Controls
  • Commerce Control List
  • DLA Requirements – DLA Export Control Data Access

  10. What we don't know
  • New DFARS (Strategic Assessment) – in addition to 252.204-7012
  • Definitions of/examples of products/services contained in each level
  • Examples of good/acceptable policies and procedures
  • Certification process – "is there more than one correct answer?"
  • Timing
  • Inclusion in RFQs/RFPs
  • Specified CMMC v1.x?
  • Assessor process, engagement, scheduling, cost
  • CMMC Level repository – access to and/or use
  • Clarity with respect to trainers, consultants, etc.
  • "Oklahoma Land Rush" – caveat emptor

  11. CMMC – How much information to expect?
  • Some thoughts
    • CMMC v1.2 is published
    • DFARS 252.204-7012 is current
    • DFARS "Strategic Assessment" – draft rule yet to be published
    • CMMC (Level 1–5) – award determination
  • Procurement information can be CUI – https://www.archives.gov/cui/registry/category-detail/procurement-acquisition.html
    • Banner Format: CUI//Category Marking//Limited Dissemination Control
    • Material and information relating to, or associated with, the acquisition and procurement of goods and services, including but not limited to, cost or pricing data, contract information, indirect costs and direct labor rates.
    • Per FAR 2.101: any of the following information that is prepared for use by an agency for the purpose of evaluating a bid or proposal to enter into an agency procurement contract, if that information has not been previously made available to the public or disclosed publicly: (Items 1-10).

  12. CMMC – it's about the "it's"
  • It's not static – it will evolve
  • It's not one size fits all –
    • Different companies
    • Different requirements
    • Level of complexity
  • Programs need to be
    • Tailored
    • Monitored – evaluated
    • Updated – refreshed
  • It's not a checklist – Critical Thinking is the dominant theme

  13. Topics to consider
  • Tunnel vision – singular focus on CMMC (lack of integration with other requirements)
  • Lack of investment – time | training | other resources | situational awareness – what's changing?
  • Mindset – what's important
  • Certification via delegation (designation)
  • Lack of active involvement by top management

  14. What are the main issues (barriers)?
  • Familiarity – what if the question (perspective) were changed?
  • Understanding of –
    • Technology
    • Terms
    • Threat
    • How/why processes and/or procedures work
  • How does a process solve a problem?
  • Why is documentation needed?
  • How much is enough?
  • What am I trying to show (demonstrate)?
  • Why can't I just say – "we are doing that"?

  15. The desired end state
  • build a cyber-safe, cyber-secure and cyber-resilient defense industrial base
  Another idea that has been frequently used has been the concept of Critical Thinking.
  Ellen M. Lord, Assistant Secretary of Defense for Acquisition, Press Briefing transcript, January 31, 2020

  16. CMMC (FCI v. CUI) – important details
  Controlled Unclassified Information (CUI):
  • DFARS 252.204-7012
  • Adequate Security (NIST 800-171 r2)
  • Malware ID | Capture | "defang" | share
  • Monitor for incidents
  • Report generation – Medium Assurance Certificate
  • Forensics – freeze 90 days
  • "Include this clause, including this paragraph (m)"
  • CMMC v1.2 – NIST 800-171 r2 + rev b
  Federal Contract Information (FCI):
  • FAR 52.204-21
  • 15 FAR elements map to 17 CMMC elements
  • Flowdown – substance of clause
  • CMMC v1.2

  17. Apply definitions – track source dates
  • FAR 52.204-21: "the subcontractor may have Federal contract information residing in or transiting through its information system."
  • Compare
  • DFARS 252.204-7012: "Covered contractor information system" means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
  • SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING (DEC 2019)
  • CDI = CTI + CUI

  18. Background – maturity model
  • In general, a maturity model is a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline.
  • It provides a benchmark against which an organization can evaluate the current level of capability of its processes, practices, and methods and set goals and priorities for improvement.
  https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf, pg 4

  19. CMMC – definition of a policy
  https://www.acq.osd.mil/cmmc/docs/CMMC_Appendices_V1.02_20200318.pdf, B-2

  20. Contract Information – General Relationships
  [Diagram, recoverable labels only] Public | Non Public; No Restriction | Distribution List; DoD | Company | Customer; New DFARS ~ Strategic Assessment; Proprietary Information; 252.204-7000; FCI (L1) – FAR 52.204-21; CUI (L3-L5) – DFARS 252.204-7008, 252.204-7012; Other Requirements

  21. New DFARS

  22. Information Security – today
  • Categories of information –
    • Federal Contract Information
    • Covered Defense Information = CTI & CUI
    • Controlled Unclassified Information
    • Impact Level
    • Export Controlled – JCP, ITAR, Other
    • Corporate – internal
    • Customer – contract/proprietary

  23. Commonalities
  • There are requirements – regulations
  • These apply to different categories of information
  [Process flow] ID & mark each and every document → ID/Know Program Requirements → Tailored training for staff → Apply program requirements to information → Monitor & Update as needed

  24. CMMC – DoD's perspective
  Department of Defense Press Briefing by Undersecretary of Defense for Acquisition and Sustainment Ellen M. Lord, Oct. 18, 2019

  25. Slight Change

  26. Become familiar with references – Specifications for Minimum Security Requirements
  FIPS Publication 200: Minimum Security Requirements for Federal Information and Information Systems, pg 2
